[Samba] authn timeouts enumerating (and connecting to) shares

Aaron Johnson ajohnson1 at godaddy.com
Mon Aug 22 18:56:30 UTC 2022


Hello Samba users!

I’m experiencing an odd (hopefully, it’s odd to everyone and not just me) issue with Alma Linux 8.6’s samba-4.15.5-8.el8_6.x86_64 (and related) release.

In short, I have a domain member Samba server with just the magic [homes] share defined in smb.conf.  Mildly sanitized “testparm -s” output:

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
                ldap connection timeout = 3
                ldap timeout = 3
                load printers = No
                log file = /var/log/samba/%m.log
                log level = kerberos:10 auth:10 auth_audit:10 winbind:10
                ntlm auth = ntlmv1-permitted
                printcap name = /dev/null
                realm = MYDOMAIN.MYORG.COM
                security = ADS
                server role = member server
                winbind max domain connections = 10
                workgroup = MYDOMAIN
                idmap config MYDOMAIN : range = 100000-9999999
                idmap config MYDOMAIN : schema_mode = rfc2307
                idmap config MYDOMAIN : backend = ad
                idmap config * : range = 0-99999
                idmap config * : backend = tdb

[homes]
                browseable = No
                comment = Home Directories
                inherit acls = Yes
                read only = No
                valid users = %S %D%w%S

(I’ve added the “log level” setting in there as testparm didn’t print it.)

Trying to list out any shares on this server results in an NT_STATUS_IO_TIMEOUT like so:

[myuser@myserver ~]$ time smbclient -d 2 -U MYDOMAIN\\myuser -L myserver.myorg.com
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=10.10.10.10 bcast=10.10.11.255 netmask=255.255.252.0
tdb(/var/lib/samba/lock/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/lock/gencache.tdb: Permission denied
Password for [MYDOMAIN\ajohnson1]:
session setup failed: NT_STATUS_IO_TIMEOUT

real        0m27.191s
user       0m0.040s
sys          0m0.034s
[myuser@myserver ~]$

Watching the logs, I can see that smbd sends a query to winbind which is promptly responded to with an NT_STATUS_OK:
[2022/08/08 14:52:25.779975, 10, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:805(process_request_done)
  process_request_done: [smbd(2742274):PAM_AUTH_CRAP]: NT_STATUS_OK
[2022/08/08 14:52:25.780085, 10, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:849(process_request_written)
  process_request_written: [smbd(2742274):PAM_AUTH_CRAP]: delivered response to client
[2022/08/08 14:52:30.888462,  5, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:856(winbind_child_died)
  Already reaped child 2742291 died

Smbd then seems to do nothing with that for 2 minutes:
[2022/08/08 14:54:32.008739, 10, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:1924(check_account)
  check_account: Failed to find authenticated user MYDOMAIN\myuser via getpwnam(), fallback to sid_to_uid(S-1-5-21-1632765165-691681574-1546849883-1185380).
[2022/08/08 14:54:32.009822,  3, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:269(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [myuser] succeeded
[2022/08/08 14:54:32.010332,  5, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:296(auth_check_ntlm_password)
  check_ntlm_password:  PAM Account for user [myuser] succeeded
[2022/08/08 14:54:32.010480,  3, pid=2741857, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[myuser] at [Mon, 08 Aug 2022 14:54:32.010447 MST] with [NTLMv2] status [NT_STATUS_OK] workstation [MYSAMBASERVER] remote host [ipv4:10.10.10.10:48880] became [MYDOMAIN]\[myuser] [S-1-5-21-1632765165-691681574-1546849883-1185380]. local host [ipv4:10.10.10.10:445]
[2022/08/08 14:54:32.010573,  2, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:330(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [myuser] -> [myuser] -> [myuser] succeeded
[2022/08/08 14:54:32.011362, 10, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:456(gensec_update_send)
  gensec_update_send: ntlmssp[0x563bc7f52c70]: subreq: 0x563bc7f43740

And smbclient has long since given up on getting a response.

Does anyone out there have any ideas why the 2 minute delay is happening?  I’d really love to get this working correctly – we’d like to retire all of our proprietary appliance-based filers and move to clustered Samba with a CephFS backend.  As you might imagine, having clients unable to authenticate is a pretty big roadblock in that right now.

Thanks in advance.
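
Added example, not part of the original post: a Python script that parses the Samba debug-log header format quoted above, merges winbind and smbd entries onto one timeline, and reports silences longer than a threshold, so the last entry before a stall and the first one after it can be read side by side. The function names and the 30-second default are assumptions; the sample lines are copied from the logs in the post.

```python
import re
from datetime import datetime

# Entry header as it appears in the post:
# [YYYY/MM/DD HH:MM:SS.ffffff, level, pid=N, effective(..), real(..), class=X] file:line(func)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}),\s*(?P<level>\d+),"
    r"\s*pid=(?P<pid>\d+),.*?class=(?P<cls>\w+)\]\s+(?P<loc>\S+)$"
)

def parse_entries(text):
    """Return one dict per log entry; indented message lines are joined into 'msg'."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({
                "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                "pid": int(m["pid"]), "cls": m["cls"], "loc": m["loc"], "msg": "",
            })
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def find_gaps(entries, threshold_s=30.0):
    """Order entries by time; return (seconds, before, after) for each silence > threshold."""
    ordered = sorted(entries, key=lambda e: e["ts"])
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        delta = (cur["ts"] - prev["ts"]).total_seconds()
        if delta > threshold_s:
            gaps.append((delta, prev, cur))
    return gaps

# Sample input: three winbind entries and the first smbd entry, copied from the post.
SAMPLE = r"""[2022/08/08 14:52:25.779975, 10, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:805(process_request_done)
  process_request_done: [smbd(2742274):PAM_AUTH_CRAP]: NT_STATUS_OK
[2022/08/08 14:52:25.780085, 10, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:849(process_request_written)
  process_request_written: [smbd(2742274):PAM_AUTH_CRAP]: delivered response to client
[2022/08/08 14:52:30.888462,  5, pid=2686623, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_dual.c:856(winbind_child_died)
  Already reaped child 2742291 died
[2022/08/08 14:54:32.008739, 10, pid=2741857, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:1924(check_account)
  check_account: Failed to find authenticated user MYDOMAIN\myuser via getpwnam(), fallback to sid_to_uid(S-1-5-21-1632765165-691681574-1546849883-1185380).
"""

if __name__ == "__main__":
    for delta, before, after in find_gaps(parse_entries(SAMPLE)):
        print(f"{delta:.3f}s silent: pid {before['pid']} {before['loc']} -> pid {after['pid']} {after['loc']}")
```

For real use, concatenate the per-client smbd log and the winbind logs for the same time window and pass the combined text to `parse_entries`.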